Re: [jose] Should we delete the "typ" header field

"Jim Schaad" <ietf@augustcellars.com> Wed, 29 May 2013 23:44 UTC


Can you justify why the JWT spec should not specify that it should not be
"ctyp" : "JWT"?

 

Jim

 

 

From: Mike Jones [mailto:Michael.Jones@microsoft.com] 
Sent: Wednesday, May 29, 2013 4:24 PM
To: Jim Schaad; jose@ietf.org
Subject: RE: [jose] Should we delete the "typ" header field

 

"typ" is there so that there's a standard header parameter field for
declaring what the data structure is so that it's there for applications for
which this declaration is useful.  For instance, the JWT spec specifies that
"typ": "JWT" can be used to declare that the object is a JSON Web Token,
should that be useful in context.

 

For those of you who may not be aware of it, the JSON Web Signature and
Encryption Type Values Registry
<http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11#section-10.2>
semantically ties short "typ" names to MIME types - so there's a
well-defined way that the types of JOSE objects relate to the
well-established MIME type system.  In fact, MIME types are explicitly
allowed to be used as "typ" values.

 

Ironically, there was actually a working discussion on this late 2011 and
early 2012 that resulted in the decision to keep "typ" in our specs, rather
than having the JWT spec define it, and that resulted in the creation of the
registry.  In that thread ("[jose] Comments on the -03 JSON Web Signature
document"), you wrote Jim:

 

[JLS] If it is believed that a parameter this list is going to be "commonly"
used by many different profilers, then I believe that the core items need
to be done in the base specification.  I would therefore not be in favor
of punting it out to somebody else.  The only exception would be if we are
going to have a very light core and a "real" core specs.  In this case the
very light core spec could punt to the "real" core spec.  Having said that I
think that a registry would be a good idea.

 

That's been the state of the "typ" parameter specs ever since - I believe
for the good reasons that you cited then.  I haven't heard anyone argue that
that reasoning was wrong - only that *their particular use case* may not
need a "typ" value.  Just because all use cases don't need it isn't a
sufficient argument to delete it and thereby hinder those that do.

 

                                                                -- Mike

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim
Schaad
Sent: Wednesday, May 29, 2013 3:03 PM
To: jose@ietf.org
Subject: [jose] Should we delete the "typ" header field

 

In reading the documents, I am trying to understand the justification for
having the "typ" header parameter in the JOSE documents.

 

The purpose of the field is to hold the type of the object.  In the past, I
believe that values which should now be placed in the cty field (such as
"JWT") were placed in this field as well.  However the parameter is optional
and an implementation cannot rely on its being present.  This means that for
all practical purposes all of the code to determine the value of the type
field from the values of the alg and enc fields.  If the field was mandatory
then this code would disappear at a fairly small space cost and I can
understand why the parameter would be present.

 

Can anybody justify why this field should be present in the document - or
should it just disappear?

 

Jim
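
The point raised in the original question, that "typ" is optional so a receiver has to work out the object type from the other header fields, shown as an added example that is not part of the thread. The function names, the constructed sample tokens and the `required_typ` policy knob are hypothetical; the structural rule (three segments and no "enc" for JWS, five segments with "enc" for JWE) comes from the JOSE compact serializations, not from the messages above.

```python
import base64
import json
from typing import Optional

def b64url_decode(segment: str) -> bytes:
    # JOSE uses base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def classify(compact: str, required_typ: Optional[str] = None) -> dict:
    """Infer JWS vs JWE from structure and header, never from "typ" alone.

    Classification only: no signature or decryption check is performed.
    """
    parts = compact.split(".")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError('header must be a JSON object with "alg"')
    # "typ" may be absent, so the kind is derived from "enc" and the
    # segment count; the two must agree or the object is rejected.
    if "enc" in header and len(parts) == 5:
        kind = "JWE"
    elif "enc" not in header and len(parts) == 3:
        kind = "JWS"
    else:
        raise ValueError("segment count and header disagree")
    declared = header.get("typ")
    # An application that wants the declaration must enforce it itself.
    if required_typ is not None and declared != required_typ:
        raise ValueError(f'"typ" is {declared!r}, policy requires {required_typ!r}')
    return {"kind": kind, "typ": declared, "cty": header.get("cty")}

def sample(header: dict, segments: int) -> str:
    # Constructed sample: real header, placeholder bytes in other segments.
    head = b64url_encode(json.dumps(header).encode())
    return ".".join([head] + [b64url_encode(b"x")] * (segments - 1))

JWS_NO_TYP = sample({"alg": "HS256"}, 3)
JWS_TYP = sample({"alg": "HS256", "typ": "JWT"}, 3)
JWE_CTY = sample({"alg": "RSA1_5", "enc": "A128CBC-HS256", "cty": "JWT"}, 5)
JWS_WITH_ENC = sample({"alg": "HS256", "enc": "A128CBC-HS256"}, 3)
```
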